skip to Main Content

Complete Python Script to Setup Cisco ACI L3 Out

In Cisco ACI, the L3Out is a means to communicate with networks outside of ACI.

The L3Out uses a routing protocol or static routes  to achieve this communication with external networks . The supported routing protocols at the time of this writing are BGP, OSPF and EIGRP.

On most routers, setting up any of those routing protocols is pretty straight forward, especially if you understand how the protocols work.

ACI is a bit of a  different paradigm. Setting up an L3Out includes configuring a lot of different parts, and each part is easy to get wrong.

The goal of this post / tutorial is to provide a script that anybody can use to easily set up an L3Out, without necessarily fiddling with the parts I referred to above.

Before you can use the script, there are a few things you have to do.  First I’ll talk about those requirements , then I’ll talk about how to use the script.


  1. Configure a Tenant
  2. Configure a VRF in that Tenant
  3. Configure Bridge Domains where you’ll be attaching the L3Out to
  4. The Bridge Domains in step 3, need to be in the same VRF as the L3Out (ie VRF from step 2)
  5. Configure BGP Route Reflectors in ACI

I don’t think any one of these steps is really difficult, even if you have never used ACI before.

Naturally, you’ll also need to configure the external router you’ll be exchanging routes with.

The script assumes you’ll be connecting a trunked interface to ACI from this router, and you’ll be running ospf. The ospf interface type has to be broadcast.

This config snippet below  is from a Nexus 9k running NXOS. A VLAN 55 exits on the switch , and is carried on a trunk interface connected to ACI.

interface vlan55
no shutdown
mtu 9216
ip address
ip ospf mtu-ignore
ip router ospf 0 area

Below is a diagram showing what the setup would look like…

Running the Script

First of all, if you do anything with ACI, you should setup python on your machine. Installing python is outside the scope of this post, but you can look at the Cisco Documentation for some pointers

You’ll need to download the the zip file at the end of this post . The following files should be in the zip file:

  2. configL3Out.yml
  3. sampleconfig.yml

Copy the first 2 files into the same folder . This is the folder you’ll be running the script from. Now let’s talk about the  files for a minute.

You should never have to do anything with the file, except run it. Of course, if you know what you are doing, you can go ahead and modify the file.

The configL3Out.yml file is the one you’ll always have to modify. This is where you lay out the parameters for your L3Out configuration. Below are the complete contents of the YAML file:

USERNAME: <replace with your apic username>
PASSWORD:<replace with your apic password>
APIC_URL: "https://your apic url"
TENANT: <replace with tenant name where L3Out will reside >
VRF: <replace with VRF name>
ROUTER_ID: <Your /32 router id>
VLAN: <VLAN encapsulation>
INT_IP: <Interface IP address>
LEAF: <Leaf ID>
PORT: <Port Number>
L3OutName: "GenericL3Out"
L3OutDomain: "GenericL3OutDom"
NodeProfile: "GenericNodeProf"

You never have to change the last 3 parameters, but you are welcome to do so.

To avoid confusion, the sampleconfig.yml file contains a config with actual parameters filled out:

USERNAME: "admin"
PASSWORD: "myweakpassword"
TENANT: "sampleTenant"
VRF: "sampleVRF"
VLAN: "55"
INT_IP: ""
LEAF: "201"
PORT: "1/1"
L3OutName: "GenericL3Out"
L3OutDomain: "GenericL3OutDom"
NodeProfile: "GenericNodeProf"

How you run the script depends on the OS and python version you are using. But it will generally be something like “python”

Of course, in order to use this L3Out, you’ll need to go into your  Tenant -> Networking -> Bridge Domains -> <Your Bridge Domain> ->Policy -> L3 configurations, and associate the GenericL3Out with your Bridge Domain.

After you run the script, a number of  things  are created for you, in the Fabric -> Access Policies tab:

  1. An L3Out Domain
  2. an AAEP
  3. a VLAN pool with a single VLAN (the one you specify in the YAML file)
  4. An Interface Policy Group

Here’s what I expect you’ll do with those policies. Whatever port (interface) you specified in your YAML file , needs to have the Interface Policy Group (GenericL3OutPolGrp), assigned to it.

If you are using this in production, you almost certainly need to make changes to one or all of items 2-4 to include additional VLANs , domains or just interface configurations.

That’s all. This should be enough to get your ACI connected to an external OSPF network. At some point in the future, maybe I’ll discuss the actual script and how all the parts work.

If any of this is confusing or if you have any questions, please feel free to reach out directly via email : info at bluesodium dot com.

This article was originally published in 2018

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top